Sophos

From SixXS Wiki

This article explains how to configure a Sophos firewall for SixXS.

Part 1 describes how to configure a heartbeat tunnel between your Sophos firewall and an IPv6 tunnel provider.

In part 2 a subnet is configured on the Sophos to allow the machines behind the firewall to connect to the Internet natively with IPv6 via the tunnel.

The configuration was tested on a Sophos UTM 9-120 with ASG 9.210-20 but should apply similarly to other Sophos units.


Part 1: Setting up a tunnel

Once your tunnel request has been approved you should have the following information:

POP v4 address (e.g. 1.2.3.4, provided by the tunnel broker) (not needed for heartbeat)
POP v6 address (e.g. 2001:db8:123::1/64, provided by the tunnel broker)
Your v4 address (e.g. 5.6.7.8, provided by you) (not needed for heartbeat)
Your v6 address (e.g. 2001:db8:123::2/64, provided by the tunnel broker)
  1. Log in to the WebAdmin web page of your Sophos firewall, usually on port 4444
  2. Go to Interfaces & Routing / IPv6 / Global, and enable IPv6
  3. Go to Interfaces & Routing / IPv6 / Tunnel Broker, enable it and fill in the following information:
Authentication = User
Broker = SixXS
Username = <your username to log in on www.sixxs.net and whois info>, e.g. ABC1-SIXXS
Password = The password of the account

After you select Apply, the firewall WILL reboot without any warning!

  4. Go to Interfaces & Routing / IPv6 / Tunnel Broker, open the Advanced section, and fill in the Tunnel ID, e.g. T123456

The Server Address should be tic.sixxs.net

Part 2: Setting up a subnet

After requesting the subnet from SixXS you should have the following information:

IPv6 Prefix address (e.g. 2001:db8:8abc::/64)
Find the best DNS cache on [1] (e.g. nscache.eu.sixxs.net)
Find the best NTP server on [2] (e.g. ntp.eu.sixxs.net)
  1. Log in to the WebAdmin web page of your Sophos firewall, usually on port 4444
  2. Go to Interfaces & Routing / Interfaces, and add the IPv6 address to the internal Ethernet interface (e.g. 2001:db8:8abc::1/64; do not omit the final 1)
  3. Go to Support / Tools / DNS Lookup, and enter the DNS cache name (e.g. nscache.eu.sixxs.net). Select Apply, and write down one of the IP addresses
  4. Go to Network Services / DNS / Forwarders, and add the IP address you just found to the list of forwarders. I also disabled the option "Use forwarders assigned by ISP", and added those DNS servers as forwarders as well.
  5. Go to Network Services / DNS / Global, and allow the internal network access to DNS.
  6. Go to Management / System Settings / Time and Date / NTP Servers, and add a "DNS Group" to the NTP pool with the DNS name (e.g. ntp.eu.sixxs.net).
  7. Optional: Go to Network Services / NTP, enable it, and allow the internal network access to NTP. (You could also add DHCP option 4 with the address of the internal interface.)
  8. Go to Interfaces & Routing / IPv6 / Prefix Advertisements, and add a prefix on the internal interface. Use the IPv6 firewall address (e.g. 2001:db8:8abc::1) as DNS server and, optionally, the caching DNS server of SixXS.
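Before clicking through the WebAdmin pages above, it helps to sanity-check the addressing plan from Part 1 and Part 2 on paper. The following script is an added example and not part of the original wiki page or of Sophos or SixXS tooling; it uses the page's example values as constructed input and flags the classic mistakes, including the omitted final "1" on the internal interface address.

```python
import ipaddress

# Constructed sample values, copied from the examples on this page.
TUNNEL_POP_V6 = "2001:db8:123::1/64"      # POP v6 address from the tunnel broker
TUNNEL_OWN_V6 = "2001:db8:123::2/64"      # your own v6 tunnel endpoint
SUBNET_PREFIX = "2001:db8:8abc::/64"      # routed subnet delegated to you
LAN_INTERFACE_V6 = "2001:db8:8abc::1/64"  # address put on the internal interface


def check_addressing(pop_v6, own_v6, subnet_prefix, lan_if_v6):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    pop = ipaddress.IPv6Interface(pop_v6)
    own = ipaddress.IPv6Interface(own_v6)
    subnet = ipaddress.IPv6Network(subnet_prefix, strict=True)
    lan = ipaddress.IPv6Interface(lan_if_v6)

    # Both tunnel endpoints must sit in the same /64 and be distinct hosts.
    if pop.network != own.network:
        problems.append("tunnel endpoints are not in the same prefix")
    if pop.ip == own.ip:
        problems.append("tunnel endpoints must be different addresses")

    # The routed subnet is a separate prefix from the tunnel's own /64.
    if subnet.overlaps(own.network):
        problems.append("routed subnet overlaps the tunnel prefix")

    # The internal interface address must lie inside the routed subnet and
    # carry a non-zero host part: a bare "prefix::/64" is the subnet-router
    # anycast address, not a usable interface address (hence "do not omit the 1").
    if lan.ip not in subnet:
        problems.append("internal interface address is outside the routed subnet")
    elif lan.ip == subnet.network_address:
        problems.append("internal interface address has an empty host part (omitted '::1')")
    if lan.network != subnet:
        problems.append("internal interface prefix length does not match the routed subnet")
    return problems


if __name__ == "__main__":
    for p in check_addressing(TUNNEL_POP_V6, TUNNEL_OWN_V6, SUBNET_PREFIX, LAN_INTERFACE_V6) or ["OK"]:
        print(p)
```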